Protecting Your Forums

Without a properly secured server and web host, your vBulletin installation can be exposed to exploits and attackers no matter how carefully the software itself is configured. This guide gives industry-standard instructions for keeping your valuable content safe, secure and protected.


vBulletin has many features built in to help keep your data safe, but if the server it runs on is not secure your data can still be compromised. There are several steps to securing a vBulletin installation. Most of them involve server configuration and settings outside the vBulletin application itself, but they provide the foundation that the rest of your security is built on.

Securing Your Server

Securing, or “hardening”, your server is beyond the scope of this document, but it is an essential step in creating a secure environment for your data. Most hosting providers offer this service if you have a dedicated machine, so work with them to make sure the machine is as secure as possible. Below are some links that will help you.

Please note that if you are on a shared server you must rely on your hosting provider to secure the server for you; the file-permission and .htaccess measures described below still apply to your own account.

Accessing Your Server

How you access your server can undermine every other security measure you put in place. Use SFTP (SSH File Transfer Protocol) and SSH (Secure Shell) to reach your server and files. Both run inside an encrypted SSH session, so passwords, commands and file contents are all protected in transit, whereas FTP and Telnet send everything, passwords included, in plaintext that anyone on the network path can read. Despite the name, SFTP is not FTP with encryption bolted on; it is a separate file-transfer protocol carried over SSH, so the same SSH credentials and server configuration cover both. Where possible, authenticate with an SSH key pair rather than a password, and disable password logins once every administrator has a key installed.

You can find out more about these protocols on Wikipedia:

SFTP: http://en.wikipedia.org/wiki/SSH_file_transfer_protocol

SSH: http://en.wikipedia.org/wiki/SSH

Root Accounts

Root or superuser accounts are a necessity if you maintain your own server, but they are also a security nightmare: the account name is known to every attacker, it has unlimited privileges, and when several administrators share it there is no record of who did what. You should never log in to your server directly as root. If your server must accept root logins at all, restrict them to a connection that is already protected end to end, such as a VPN between your workstation and the server. Not all servers support this, and your datacenter might not allow the software needed for it.

If you are using Linux or Unix, create a group of trusted administrators, traditionally called the “wheel” group (Debian-based systems use the “sudo” group for the same purpose). Members log in through SSH with their own unprivileged accounts and then switch to the superuser with su or sudo only for the commands that need it, so every privileged action is tied to a named user. Disable direct root logins in the SSH daemon configuration with PermitRootLogin no, and on Linux you can additionally configure su, through pam_wheel.so in /etc/pam.d/su, so that only wheel members can switch to root. Without a VPN, this is the only way you should reach your superuser account.
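The following script is an added example and is not part of the vBulletin manual. It checks an OpenSSH server configuration for the access rules described in the two sections above (no direct root logins, key-based logins instead of passwords, and only members of the administrators' group allowed to connect) and writes a corrected copy. The sample configuration is constructed; the file path /etc/ssh/sshd_config, the group name "wheel" and the requirement that every administrator already has an SSH key installed before password logins are switched off are assumptions you should adapt to your server.

```shell
#!/bin/sh
# Added example, not from the vBulletin manual: audit an OpenSSH server
# configuration for the access rules this section describes (no direct
# root logins, key-based logins instead of passwords, and only members of
# the admin group allowed to connect), then write a corrected copy.
# Assumptions: the real file is /etc/ssh/sshd_config, the admin group is
# called "wheel" (Debian-based systems use "sudo"), and every admin already
# has an SSH key installed before password logins are switched off.

# Constructed stand-in for /etc/ssh/sshd_config with the weak defaults.
SAMPLE_SSHD_CONFIG='Port 22
# PermitRootLogin no   <- commented out, so it has no effect
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
'

# sshd_setting FILE KEY: print the effective value of KEY in lowercase.
# sshd honours the first occurrence of a keyword, so the first match wins;
# prints "unset" when the keyword never appears uncommented.
sshd_setting() {
    awk -v k="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per weak setting and return
# the number of failures, so 0 means the file passes.
audit_sshd_config() {
    fails=0
    if [ "$(sshd_setting "$1" PermitRootLogin)" != "no" ]; then
        echo "FAIL: PermitRootLogin must be no (log in as a user, then su/sudo)"
        fails=$((fails + 1))
    fi
    if [ "$(sshd_setting "$1" PasswordAuthentication)" != "no" ]; then
        echo "FAIL: PasswordAuthentication must be no (use SSH keys)"
        fails=$((fails + 1))
    fi
    if [ "$(sshd_setting "$1" AllowGroups)" = "unset" ]; then
        echo "FAIL: AllowGroups is not set, so any local account may try to log in"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# harden_sshd_config IN OUT: copy IN to OUT with the three directives forced.
# Existing copies (including commented-out ones) are dropped and the hardened
# values are placed first, which is the copy sshd will use.
harden_sshd_config() {
    {
        printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' 'AllowGroups wheel'
        grep -v -i -E '^[[:space:]]*#?[[:space:]]*(PermitRootLogin|PasswordAuthentication|AllowGroups)([[:space:]]|$)' "$1" || :
    } > "$2"
}

# Demonstration on the constructed sample. On the server, run the same two
# functions against /etc/ssh/sshd_config, then "sshd -t" and reload sshd.
weak=$(mktemp); fixed=$(mktemp)
printf '%s' "$SAMPLE_SSHD_CONFIG" > "$weak"
echo "--- before ---"; audit_sshd_config "$weak" || echo "$? problem(s) found"
harden_sshd_config "$weak" "$fixed"
echo "--- after ---"; audit_sshd_config "$fixed" && echo "sshd_config passes"
rm -f "$weak" "$fixed"
```

Check the corrected file with `sshd -t` before reloading the daemon, and keep an existing SSH session open while you test a fresh login, so a mistake does not lock you out of the server.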

Restricting Access

Restricting unauthorized access to your files is one of the most important things you can do. Anyone who can read or alter your files can modify them to send your users' data to themselves, or read the database credentials in your configuration file and connect to the database directly.

The most common way a web server authenticates someone is called “Basic Authentication”. It transmits user names and passwords across the network merely base64-encoded, which is plaintext for all practical purposes, so an attacker with a network monitoring tool can intercept them. Only use Basic authentication over an encrypted connection: combine it with your web server's TLS (HTTPS) support so the credentials are protected in transit.

.htaccess

.htaccess is how you can easily secure files in Apache. It lets you apply Apache's configuration directives per directory without editing the main configuration file (httpd.conf), which makes it useful for communities on shared or virtual hosting as well as dedicated hosting. The server configuration must permit it, though: the directives are ignored unless AllowOverride is enabled for the directory in question.

There are a lot of things you can do with .htaccess, but here we are concerned with denying access to specific files and directories and with requiring a login for sensitive ones.

NTAUTH

Windows controls access to files through NTFS access control lists (ACLs), a permissions system this guide refers to as NTAUTH. It is part of the NTFS file system and is used by IIS and other Windows server components when deciding who may read or run a file. For instructions on using it to protect your server, see Microsoft's IIS documentation.

Alternatives to NTAUTH

IISPassword is a free utility that can be installed on your IIS server. It uses Basic HTTP authentication to password-protect web sites on IIS, in the same way .htaccess does on Apache, so a password-protected Apache site can be moved to IIS and vice versa. The same caveat applies: because it relies on Basic authentication, serve the protected pages over HTTPS only.

CHMOD, or File Permissions on your Unix/Linux System

You can control who has access to files on your server independently of whether a web browser can request them and have the server execute them. This is done with file permissions, and it helps protect your files if someone gains unauthorized access to another part of the machine. File permissions matter most on a shared server, where many other customers have accounts on the same machine, and less on a server only you can log in to, but it is good practice everywhere to grant only the minimum permissions that let your site work. Note the limit on a shared host: when PHP runs as a single web server account rather than as you, your files must be readable by that account, which usually means readable by everyone on the machine. Ask your host whether PHP can run under your own user (for example via suPHP or a per-user PHP-FPM pool) so that the configuration file can be locked down.

In our case, the web server only needs to be able to read your vBulletin files as long as PHP is installed as an Apache or ISAPI module. If PHP runs as a CGI executable that is invoked directly rather than through a handler, the scripts may also need execute permission. In Linux and Unix, you change permissions with the chmod command.

chmod accepts either octal numbers, where each digit encodes the read, write and execute bits for the owner, the group and everyone else, or letters that name the permissions symbolically. Both can be confusing to the uninitiated. The numeric form gives more concise commands with the same degree of control, and it is what you will most often see in technical documents.

To set the permissions on your vBulletin files, with PHP as an Apache or ISAPI module, you would type the following at a command prompt on the server, in the directory containing the files:

chmod 644 *

This tells the server that the owner of the file (you) may read and write the files while everyone else may only read them. Note that it applies only to the files in the current directory, and it must not be applied to directories: a directory needs the execute bit to be entered, so 644 on a directory makes its contents inaccessible.

Directories need the execute bit as well, so for directories (and for any script that genuinely has to be executable) you would use this command instead, which gives the owner read, write and execute permission and everyone else read and execute:

chmod 755 *

Note that 755 does not give anyone but the owner write access. If your hosting provider tells you the web server must be able to write somewhere, such as the attachment or avatar upload directories, grant write access to those data directories only, never to your PHP files. A more in-depth tutorial on chmod can be found here: http://catcode.com/teachmod/index.html. Most modern SFTP clients can also set permissions through a properties dialog on the context menu; refer to your client's documentation for how to do this.

Please note: if an attacker gets root access to your machine, there is no way to protect your files with permissions; they will be able to read and alter everything, including your database credentials. If this happens you will need a recent backup kept off the machine so you can rebuild the site on a clean system, change every password and key the attacker could have read, and restore your content from that backup.
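The script below is an added example, not part of the vBulletin manual, that applies the two mechanisms covered above, the .htaccess rules from the Restricting Access section and the chmod rules from this section, to a whole vBulletin document root in one pass. It assumes Apache 2.4 with mod_ssl loaded and AllowOverride enabled for the document root, PHP running as an Apache module, the default vBulletin layout (admincp/ and includes/config.php), a Basic-auth password file that already exists outside the web root at the assumed path /etc/apache2/vb.htpasswd, and that the caller names the only directories the web server must write to. The demonstration tree it builds is constructed, so the script is safe to run as-is.

```shell
#!/bin/sh
# Added example, not part of the vBulletin manual: lock down a vBulletin
# document root with the two mechanisms this page covers, Unix file
# permissions and Apache .htaccess rules. Assumptions: Apache 2.4 with
# mod_ssl loaded and AllowOverride enabled for the document root, PHP
# running as an Apache module, the default vBulletin layout (admincp/ and
# includes/config.php), an htpasswd file that already exists outside the
# document root, and the caller naming the directories PHP must write to.

# Assumed location of the Basic-auth password file; create it with
# "htpasswd -c /etc/apache2/vb.htpasswd adminname" and keep it outside the web root.
HTPASSWD_FILE="${HTPASSWD_FILE:-/etc/apache2/vb.htpasswd}"

# set_permissions DOCROOT: every file 644 (owner rw, everyone else read-only)
# and every directory 755. A bare "chmod 644 *" is not enough: it does not
# recurse, and applied to a directory it removes the execute bit that is
# needed to enter the directory, which breaks the site.
set_permissions() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# write_htaccess DOCROOT: refuse every direct request for config.php (it holds
# the database credentials and is only ever included by other scripts) and put
# the admin control panel behind Basic authentication. Basic auth sends the
# password base64-encoded, not encrypted, so SSLRequireSSL makes Apache reject
# the login over plain HTTP instead of leaking it.
write_htaccess() {
    cat > "$1/includes/.htaccess" <<'EOF'
# Apache 2.4 syntax; on 2.2 use "Order deny,allow" and "Deny from all" instead.
<Files "config.php">
    Require all denied
</Files>
EOF
    cat > "$1/admincp/.htaccess" <<EOF
SSLRequireSSL
AuthType Basic
AuthName "vBulletin administration"
AuthUserFile $HTPASSWD_FILE
Require valid-user
EOF
}

# harden_vbulletin DOCROOT [WRITABLE_DIR...]: apply both, then re-open only the
# directories PHP has to write to (uploaded attachments, avatars). They get 775
# and should be chgrp'd to the web server's group; on a shared host where that
# is impossible, 777 on those data directories is the fallback, never on PHP files.
harden_vbulletin() {
    docroot=$1
    shift
    write_htaccess "$docroot"
    set_permissions "$docroot"
    for dir in "$@"; do
        chmod 775 "$dir"
    done
}

# Demonstration on a constructed throw-away tree, so this is safe to run as-is;
# on the server, point it at the real document root and upload directories.
demo=$(mktemp -d)
mkdir -p "$demo/includes" "$demo/admincp" "$demo/attachments"
printf '<?php // constructed stand-in for the real config file\n' > "$demo/includes/config.php"
chmod 666 "$demo/includes/config.php"    # the kind of over-permissive mode being corrected
harden_vbulletin "$demo" "$demo/attachments"
ls -ld "$demo/includes/config.php" "$demo/attachments"
cat "$demo/admincp/.htaccess"
rm -rf "$demo"
```

After running it against the real document root, request includes/config.php and admincp/ in a browser: the first should return 403 Forbidden, and the second should refuse to prompt for a password over plain http:// and prompt only over https://. If the rules appear to do nothing, AllowOverride is not enabled for that directory.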

